Security of various cloud computing architectures

Published on 11-Nov-2014

Transcript

1. Contact: security-request@cisco.com

5. Cloud service models (XaaS): Infrastructure as a Service, Platform as a Service, Software as a Service, X as a Service

7. Borderless Networks security architecture: (1) Borderless End Zones, (2) Borderless Internet, (3) Borderless Data Center; the XaaS layers (Infrastructure as a Service, Platform as a Service, Software as a Service, X as a Service) sit on top of it, governed by four policy domains: Access Control, Acceptable Use, Malware, Data Security

8. Cisco as a cloud consumer: 400+ cloud service providers (CSPs) used across Sales, Finance, Manufacturing, C&C Platform, CDO, Consumer IT, Customer Service, HR, Acquisitions

11. Key concerns: privacy, identity, eDiscovery, compliance

12. Cisco Cloud Risk Assessment Framework:
   R1: Data Risk
   R2: User Identity and Accountability
   R3: Regulatory Compliance
   R4: Business Continuity & Resiliency
   R5: User Privacy & Secondary Usage of Data
   R6: Service & Data Integration
   R7: Multi-tenancy & Physical Security
   R8: Incident Analysis & Forensics
   R9: Infrastructure Security
   R10: Non-production Environment Exposure

14. Cisco: Cisco/Customer Data

15. PCI DSS ASV?

16. Identity: SSO?

17. Cisco: 1. Federated Identity 2. OAuth, SAML, backend API (Identity Federation)

18. 24x7?

19. SLA; DDoS

20. SLA: Amazon

21. Cisco: C-Level criticality terms

   C1 Mission Imperative: Any outage results in immediate cessation of a primary function, equivalent to immediate and critical impact to revenue generation, brand name and/or customer satisfaction; no downtime is acceptable under any circumstances.
   C2 Mission Critical: Any outage results in immediate cessation of a primary function, equivalent to major impact to revenue generation, brand name and/or customer satisfaction.
   C3 Business Critical: Any outage results in cessation over time or an immediate reduction of a primary function, equivalent to minor impact to revenue generation, brand name and/or customer satisfaction.
   C4 Business Operational: A sustained outage results in cessation or reduction of a primary function.
   C5 Business Administrative: A sustained outage has little to no impact on a primary function.

22. Cisco: Criticality Classification Matrix v3.0

   Operational Continuity columns (planned and unplanned downtime, single DC loss): Reduced Performance Acceptable?, Acceptable Recovery Time (ART, hours), Acceptable Data Loss (ADL, hours), Planned Downtime Acceptable?
   Disaster Recovery columns (large-scale disaster): Recovery Time Objective (RTO, hours), Recovery Point Objective (RPO, hours), Reduced Performance Acceptable?

   Level | Distribution | Adjusted Availability Ceiling | Reduced Perf. OK? | ART (h) | ADL (h) | Planned Downtime OK? | RTO (h) | RPO (h) | Reduced Perf. OK (large-scale disaster)?
   C1    | < 5%         | up to 99.999%                 | N                 | ~0      | ~0      | N                    | n/a**   | n/a     | n/a
   C2    |              | up to 99.995%                 | N                 | 1       | 0       | N                    | 4       | 1       | N
   C3    | ~10%         | up to 99.99%                  | Y                 | 4       | 0       | N                    | 24      | 1       | Y
   C4    | > 60%        | up to 99.9%                   | Y                 | 24      | 1       | Y                    | 48      | 24      | Y
   C5    | < 25%        | up to 99.9%                   | Y                 | Best Effort | 24  | Y                    | Best Effort | 1 wk | Y

   ART = Maximum downtime following incidents (up to and including one DC in Metro down)
   ADL = Maximum data loss following incidents (up to and including one DC in Metro down)
   RTO = Maximum downtime for applications following large-scale disaster (multiple Tier-III DCs in Metro down, highly unlikely)
   RPO = Maximum data loss following large-scale disaster (multiple Tier-III DCs in Metro down, highly unlikely)
   ** Targeting distributed architectures (active/active over large distance) to meet service continuity requirements without DR invocation

23. OWASP? Web Application Firewall, Database Firewall

25. Privacy

28. Compliance!

29. SLA?

33. ISO/IEC 15408 (Common Criteria)

34. Standards and versions: 382-, 1.1-2007, 1.0-2010, 2.2-2009, 2.3-2010, 1.2-2010, 2.0-2007, 2.1-2007, 2.4-2010 (v1, v3, v4)

35. BCP; PCI; Web

38. compliance

39. Virtualized data center architecture, by tier: Access and Aggregation, Core, Edge, IP-NGN Backbone, Compute, Virtual Machine, VSwitch, Virtual Storage & SAN, Application, Software Services. Components: Virtual Device Contexts, Fabric-Hosted Storage, Application Virtualization, Firewall, Storage Media Encryption, Secure Domain Routing, IP-NGN Service Profiles, Port Profiles & VN-Link, Virtual Machine Optimization, Line-Rate NetFlow, Fibre Channel Forwarding, Fabric Extension, Application Control (SLB+), Service Control, Virtual Contexts for FW & SLB, Partners

41. UCS Fabric Interconnect; ACL; VPN; TrustSec (SGT, SXP); VLAN, VRF; ACL

42. IPS; hypervisors (VMware, Hyper-V)

43. 1. VMware

44. VMware? Hyper-V? KVM? Nexus 1000V: VEM and VSM; on VMware vSphere the VSM integrates with VMware vCenter; on Windows 8 Hyper-V the VSM integrates with SCVMM

47. Multi-tenancy (6)

50. Tenants X and Y, segments 1-5, web, IPsec VPN, Cisco ASA

51. VMs/Containers: IaaS, PaaS, SaaS

52. IaaS, PaaS, SaaS

56. compliance

57. compliance: eDiscovery

60. 27 2011

62. 65

63. Enterprise applications: ERP, Service Desk, HRM, ORM, SRM, SCM

65. IPTV

66. 27 2005 no. 538; 16 2008 no. 6; I. 27.05.2010 no. 73; II. Webex (Web-)

67. Google, Oracle, Microsoft/Skype

70. PCI DSS, ISO 27001

72. -152

74. -152, art. 19

75. -152

82. End